Researchers have discovered major security vulnerabilities in PGP/GPG and S/MIME email encryption in Apple’s stock Mail client on iOS and macOS, along with Mozilla’s Thunderbird. The vulnerabilities allow attackers to gain access to the plaintext of encrypted emails.
To take advantage of the vulnerabilities, an attacker first needs to get an encrypted email from one person. He can then send the encrypted text back to the sender to get the plaintext without needing their private encryption keys. The vulnerability has been named “Efail” and relies on how these email clients render HTML content.
Ironically, corporations sometimes use S/MIME and PGP to send encrypted emails. However, it is important to note that the vulnerability exists because of how these email clients render HTML content and not because of the standard itself.
The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.
The issue can be resolved by a software update from Apple for its mail clients, which the company is likely already working on. Given that the vulnerabilities are now getting media attention, I’d expect Apple to roll out a fix for them within this week itself.
If you make use of PGP and S/MIME to send encrypted emails, it is recommended that you turn off the option to load remote content in Apple’s mail app.
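To show why remote content is the setting that matters, here is an added example (not from the original article or the Efail researchers) that audits a stored message for an encrypted part sitting alongside HTML that would fetch remote resources when rendered. The function and class names, the tag and type lists, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser

# Assumed lists for this example, not taken from the article.
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pgp-encrypted",
                   "application/pkcs7-mime", "application/x-pkcs7-mime"}
AUTOLOAD_TAGS = {"img", "link", "script", "iframe", "embed", "video", "audio", "source"}
URL_ATTRS = {"src", "href", "poster"}

class RemoteRefs(HTMLParser):
    """Collect (tag, url) pairs a mail client would fetch without a click."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        if tag not in AUTOLOAD_TAGS:
            return  # e.g. <a href> needs a click, so it is not counted
        for name, value in attrs:
            if name in URL_ATTRS and value and value.lower().startswith(("http://", "https://", "//")):
                self.urls.append((tag, value))

def audit(raw):
    """Report whether a raw message mixes an encrypted part with remote HTML content."""
    msg, refs, encrypted = message_from_string(raw), RemoteRefs(), False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_TYPES:
            encrypted = True
        elif ctype == "text/html":
            body = part.get_payload(decode=True) or b""
            refs.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    refs.close()
    return {"encrypted": encrypted, "remote": refs.urls, "risky": encrypted and bool(refs.urls)}

# Constructed sample message; the encrypted payload is a placeholder.
SAMPLE = """\
Subject: constructed sample
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<img src="http://tracker.example.invalid/p.png"><a href="https://example.invalid/">link</a>
--B
Content-Type: application/pkcs7-mime; name="smime.p7m"

PLACEHOLDER
--B--
"""
```

`audit(SAMPLE)` reports the message as risky because a remote image reference travels with an encrypted part; with remote content loading turned off in the client, that request is never made.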
Make sure to head over to the source link below to read more about the Efail exploit as well.